Tunnel Content Inspection

The firewall can now perform tunnel content inspection on the content of cleartext tunnel protocols (GRE, non-encrypted IPSec, and GTP-U). You can use tunnel content inspection to enforce Security, DoS Protection, and QoS policies on traffic in these tunnels and on traffic nested within another cleartext tunnel. You can view inspected tunnel information to verify that tunneled traffic complies with your corporate security and usage policies.
  • In enterprise environments, you can inspect traffic tunneled using GRE or non-encrypted IPSec, so that the traffic inside the tunnel is subject to security policy, QoS, and reporting.
  • In service provider environments, GTP-U tunnels data traffic from mobile devices. You can inspect the inner content without terminating the tunnel protocol, and record user data.
All firewall models support tunnel content inspection of GRE and non-encrypted IPSec. Only PA-5200 Series and VM-Series firewalls support tunnel content inspection of GTP-U.
The firewall supports tunnel content inspection on Ethernet interfaces and subinterfaces, AE interfaces, VLAN interfaces, and VPN and LSVPN tunnels. Tunnel content inspection is supported in Layer 3, Layer 2, virtual wire, and tap deployments. Tunnel content inspection works on shared gateways and on virtual system-to-virtual system communications.
  1. Create a Security policy to allow packets through the tunnel that use a specific application, such as GRE.
  2. Create a Tunnel Inspection policy that specifies the criteria for packets that meet the policy, the tunnel protocols to inspect, the maximum level of encapsulation to inspect, and separate security policies for tunnel zones, if you choose.
  3. Use the ACC to view inspected tunnel activity.
  4. View Tunnel Inspection logs and other logs for tunnel inspection information.
  5. Create a custom report about Tunnel Inspected traffic.
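To make the "tunnel protocols to inspect" and "maximum level of encapsulation" settings from step 2 concrete, the following added example (not PAN-OS code and not from this documentation) walks the IP/GRE and IP/AH headers of a packet the way an inspection engine must before it can apply Security, DoS Protection, or QoS policy to the inner content. The packets are constructed inline; the verdict strings, the treatment of ESP as opaque, and the level-counting convention (outer packet is level 0, each tunnel header adds one) are assumptions of this example.

```python
"""Walk the encapsulation layers of a cleartext tunnel packet (GRE, AH), stopping at a
configured maximum level. Added illustration, not PAN-OS code; packets are constructed below."""
import struct
from ipaddress import IPv4Address

IPPROTO_TCP, IPPROTO_UDP = 6, 17
IPPROTO_IPIP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 4, 47, 50, 51
ETHERTYPE_IPV4 = 0x0800


def parse_ipv4(buf):
    """Return (src, dst, protocol, header_len) for the IPv4 header at buf[0:]."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IHL")
    return str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])), buf[9], ihl


def gre_header_len(gre):
    """GRE (RFC 2784/2890): 4 fixed bytes plus optional checksum, key and sequence fields."""
    flags = struct.unpack("!H", gre[0:2])[0]
    return 4 + (4 if flags & 0xC000 else 0) + (4 if flags & 0x2000 else 0) + (4 if flags & 0x1000 else 0)


def inspect_tunnel(packet, max_levels=2):
    """Return one dict per IP layer found; the last dict carries a 'verdict'.

    max_levels mirrors the 'maximum level of encapsulation' setting: level 0 is the
    outer packet and every tunnel header adds one level (assumed convention)."""
    layers, buf, level = [], packet, 0
    while True:
        src, dst, proto, ihl = parse_ipv4(buf)
        layer = {"level": level, "src": src, "dst": dst, "proto": proto}
        layers.append(layer)
        payload = buf[ihl:]
        if proto == IPPROTO_GRE:
            if len(payload) < 4 or struct.unpack("!H", payload[2:4])[0] != ETHERTYPE_IPV4:
                layer["verdict"] = "gre-non-ipv4-payload"   # not followed further here
                return layers
            nxt = payload[gre_header_len(payload):]
        elif proto == IPPROTO_AH:
            # AH is cleartext IPsec: next-header byte, then (payload_len + 2) * 4 header bytes
            if len(payload) < 12 or payload[0] != IPPROTO_IPIP:
                layer["verdict"] = "ah-transport-mode"      # no inner IP packet to descend into
                return layers
            nxt = payload[(payload[1] + 2) * 4:]
        elif proto == IPPROTO_ESP:
            layer["verdict"] = "encrypted-not-inspectable"  # ESP payload is opaque to inspection
            return layers
        else:
            layer["verdict"] = "inner-payload"              # reached the real L4 content
            if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
                layer["sport"], layer["dport"] = struct.unpack("!HH", payload[0:4])
            return layers
        level += 1
        if level > max_levels:
            layer["verdict"] = "max-encapsulation-exceeded"  # policy decides what to do with it
            return layers
        buf = nxt


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left 0 because nothing here verifies it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def build_sample_packet():
    """Constructed GRE-in-GRE packet: two encapsulation levels around a TCP SYN to port 443."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
    inner = ipv4_header("10.2.0.5", "10.3.0.9", IPPROTO_TCP, len(tcp)) + tcp
    gre1 = struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner
    mid = ipv4_header("172.16.1.1", "172.16.2.1", IPPROTO_GRE, len(gre1)) + gre1
    gre0 = struct.pack("!HH", 0, ETHERTYPE_IPV4) + mid
    return ipv4_header("203.0.113.10", "198.51.100.20", IPPROTO_GRE, len(gre0)) + gre0


def build_ah_sample_packet():
    """Constructed AH tunnel-mode packet (12-byte ICV, so Payload Len = 4) around a UDP datagram."""
    udp = struct.pack("!HHHH", 5060, 5060, 8, 0)
    inner = ipv4_header("10.8.0.2", "10.9.0.3", IPPROTO_UDP, len(udp)) + udp
    ah = struct.pack("!BBHII", IPPROTO_IPIP, 4, 0, 0x1001, 1) + b"\x00" * 12 + inner
    return ipv4_header("192.0.2.1", "192.0.2.2", IPPROTO_AH, len(ah)) + ah


if __name__ == "__main__":
    for layer in inspect_tunnel(build_sample_packet(), max_levels=2):
        print(layer)
```

Running the GRE-in-GRE sample with `max_levels=2` yields three layers ending in `inner-payload` with destination port 443, which is the information a Security policy on a tunnel zone would match on; the same packet with `max_levels=1` stops at the second GRE header with `max-encapsulation-exceeded`, which is the case the policy's handling of over-deep encapsulation has to decide.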